xmrig | 03b98d0f5ac74f2cc761db1c34fb36c88f2e026769459eea0b9b9d3ea8312ff9

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fad9fbf89d7103f7c2c1d58011ec094.exe
Size

1.5MB
MD5

0fad9fbf89d7103f7c2c1d58011ec094
SHA1

c4d3a84075af1416a94e43d15df8eb92b4a7ceba
SHA256

03b98d0f5ac74f2cc761db1c34fb36c88f2e026769459eea0b9b9d3ea8312ff9
SHA512

6691e8cd33bfc3adc8da209a0aa87995a43777597c07a7783c043cac17d0914b231eea0a84a729f573454fc5a36619c4d2013739008998622ff00839976b305a
SSDEEP

24576:hp3dpf1YHlKMnMlg1wqCIHzZKQfZakPJWPoUrB3A9n4YWmgeX04MXx2kSMvsWAOz:dsHl7SqCuflc5+M5eE4Mgk8O

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2268-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2268-15-0x0000000003440000-0x0000000003752000-memory.dmp	xmrig
behavioral1/memory/2268-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1212-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1212-25-0x0000000003020000-0x00000000031B3000-memory.dmp	xmrig
behavioral1/memory/1212-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1212-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1212-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1212	0fad9fbf89d7103f7c2c1d58011ec094.exe

Executes dropped EXE 1 IoCs

pid	Process
1212	0fad9fbf89d7103f7c2c1d58011ec094.exe

Loads dropped DLL 1 IoCs

pid	Process
2268	0fad9fbf89d7103f7c2c1d58011ec094.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2268-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000a00000001224a-10.dat	upx
behavioral1/files/0x000a00000001224a-16.dat	upx
behavioral1/memory/1212-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2268	0fad9fbf89d7103f7c2c1d58011ec094.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2268	0fad9fbf89d7103f7c2c1d58011ec094.exe
1212	0fad9fbf89d7103f7c2c1d58011ec094.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1212	2268	0fad9fbf89d7103f7c2c1d58011ec094.exe	29
PID 2268 wrote to memory of 1212	2268	0fad9fbf89d7103f7c2c1d58011ec094.exe	29
PID 2268 wrote to memory of 1212	2268	0fad9fbf89d7103f7c2c1d58011ec094.exe	29
PID 2268 wrote to memory of 1212	2268	0fad9fbf89d7103f7c2c1d58011ec094.exe	29

C:\Users\Admin\AppData\Local\Temp\0fad9fbf89d7103f7c2c1d58011ec094.exe
"C:\Users\Admin\AppData\Local\Temp\0fad9fbf89d7103f7c2c1d58011ec094.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\0fad9fbf89d7103f7c2c1d58011ec094.exe
  C:\Users\Admin\AppData\Local\Temp\0fad9fbf89d7103f7c2c1d58011ec094.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0fad9fbf89d7103f7c2c1d58011ec094.exe

Filesize
784KB

MD5
123f29b141ff899ff654a67fae46cb23

SHA1
2560d7d2f4304af16a2da913e960ddc6410bed3c

SHA256
352b7f269523332c4ee658fc8beff2577cbf2d0a8847faafc2fedb295cafc0e5

SHA512
89941263c188270c45e09d74d94fb88436ecfcefd3f7c03fecf94130943c16eecf0f72736446723cb7fadf00200e2b54be7b2793d4c8cad0eed39311431812d5

Download Submit
\Users\Admin\AppData\Local\Temp\0fad9fbf89d7103f7c2c1d58011ec094.exe

Filesize
192KB

MD5
3fca008f5aeaefee33c725d32ab3e3ec

SHA1
061d67a0ce51b04edcd9add689c4aa4ddeae6b52

SHA256
ebf91cbc8f6832bd562183aae5bb27d8a400c0b1ec78362e68ba0fa16a093714

SHA512
d0fc9dd0a4ba9b3b2f690c3610cc0ad5f6f245fbaae1285b4957e53c0f80c45355a4980e0b039337d6da06015b8d269d481f402890bc5900a955afb0e304434d

Download Submit
memory/1212-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1212-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1212-19-0x00000000002A0000-0x0000000000364000-memory.dmp

Filesize
784KB

Download
memory/1212-25-0x0000000003020000-0x00000000031B3000-memory.dmp

Filesize
1.6MB

Download
memory/1212-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1212-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1212-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2268-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2268-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2268-15-0x0000000003440000-0x0000000003752000-memory.dmp

Filesize
3.1MB

Download
memory/2268-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2268-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download